Install the firewall before the next HijackThis log. If we haven't removed everything, you could still find malware downloading. The firewall will help prevent this, and the next HijackThis log will help us see if this happened or if we missed something.
OK, I searched the whole C drive and I can't find wvvtsr.dll and opmkjh.dll.
OK, I think I've done everything you've asked. Here's the HijackThis log. Oh, and by the way, thanks for all this help! ;D
Logfile of HijackThis v1.99.1
Scan saved at 11:57:32 AM, on 4/14/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\mine\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\tmp8C.tmp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {B6F1A4CB-DADD-4D0C-BDFC-E945647302C1} - c:\wmplayer.dll (file missing)
O2 - BHO: (no name) - {cb97713c-658a-43a7-8d4f-bffdc4eb9bea} - C:\WINDOWS\system32\din700.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [SoundService] rundll32.exe "C:\WINDOWS\wvvtsr.dll",setvm
O4 - HKLM..\Run: [BootService] rundll32.exe "C:\WINDOWS\opmkjh.dll",realset
O4 - HKLM..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
O4 - HKLM..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MS_update_0704_KB74073.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: din700 - din700.dll (file missing)
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\ie_updater.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\System32\PnkBstrB.exe
Please download OTMoveIt by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\System32\svehost.exe
c:\documents and settings\All Users\start menu\programs\startup\MS_update_0704_KB74073.exe
Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Now make sure your folder options are still set to Show Hidden Files and Folders. Boot into safe mode. Look for and rename these files:
C:\WINDOWS\wvvtsr.dll rename to C:\WINDOWS\wvvtsr.old
C:\WINDOWS\opmkjh.dll rename to C:\WINDOWS\opmkjh.old
Boot back into normal mode, send the 2 renamed files to VirusTotal and post the results of the scans.
Then run Deckard’s System Scanner again and post the entire log in multiple, consecutive posts.
Also, if you've done anything financial on this computer (banking, eBay, etc.) you should notify these institutions of your situation and start changing passwords from a different computer (this computer is almost clean but we have a couple more steps).
I went into Windows on my C drive, then into Temp. There was a folder there, _avast4_, that I went into, and there's a file there, trzC.tmp.
Does this file still exist?
I downloaded OTMoveIt and did all that, but when I try to boot into safe mode it doesn't work. Do you know what's wrong? I tried 5 times to get it but it still wouldn't.
The malware may be preventing you from booting into safe mode.
If you've already moved those files with OTMoveIt, try again to find and rename C:\WINDOWS\wvvtsr.dll and C:\WINDOWS\opmkjh.dll. Whether or not you're able to rename them, run Deckard's System Scanner in normal mode and post the log.
Never mind, I finally got it. Here's the OTMoveIt log.
File/Folder C:\WINDOWS\System32\svehost.exe not found.
c:\documents and settings\All Users\start menu\programs\startup\MS_update_0704_KB74073.exe moved successfully.
Created on 04/15/2007 05:03:23
I also couldn't find the 2 files. I used the Microsoft search thing, and I looked for a bit myself too. Are these files critical for my system, like do I need them for my system?
Oh, and even at system start, it says Cannot find file c:\WINDOWS\wvvtsr.dll for both files.
Here's the DSS log.
Deckard’s System Scanner v20070411.38
Run by mine on 2007-04-15 at 05:52:10
Computer is in Normal Mode.
-- HijackThis (run as mine.exe) ------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 5:52:45 AM, on 4/15/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\mine\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\mine.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\tmp8C.tmp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {B6F1A4CB-DADD-4D0C-BDFC-E945647302C1} - c:\wmplayer.dll (file missing)
O2 - BHO: (no name) - {cb97713c-658a-43a7-8d4f-bffdc4eb9bea} - C:\WINDOWS\system32\din700.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [SoundService] rundll32.exe "C:\WINDOWS\wvvtsr.dll",setvm
O4 - HKLM..\Run: [BootService] rundll32.exe "C:\WINDOWS\opmkjh.dll",realset
O4 - HKLM..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
O4 - HKLM..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: din700 - din700.dll (file missing)
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\ie_updater.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\System32\PnkBstrB.exe
-- Files created between 2007-03-15 and 2007-04-15 -----------------------------
2008-11-27 18:14:34 56832 -----n--- C:\WINDOWS\System32\iyvu9_32.dll
2008-11-27 18:14:34 143872 -----n--- C:\WINDOWS\System32\iacenc.dll
2007-04-15 01:37:24 0 d-------- C:\Documents and Settings\mine\Application Data\Turbine
2007-04-15 01:29:06 2297552 --a------ C:\WINDOWS\System32\d3dx9_26.dll
2007-04-15 01:24:08 0 d-------- C:\WINDOWS\System32\URTTemp
2007-04-14 12:33:12 0 d-------- C:\Documents and Settings\mine\Application Data\GetRightToGo<GETRIG~1>
2007-04-14 11:48:59 0 d-------- C:\Documents and Settings\mine\Application Data\Comodo
2007-04-14 11:48:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-04-14 11:47:22 51328 --a------ C:\WINDOWS\System32\drivers\inspect.sys
2007-04-14 11:47:22 75520 --a------ C:\WINDOWS\System32\drivers\cmdmon.sys
2007-04-14 11:47:21 0 d-------- C:\Program Files\Comodo
2007-04-14 11:07:08 3968 --a------ C:\WINDOWS\System32\drivers\AvgAsCln.sys
2007-04-13 09:45:28 0 d-------- C:\Program Files\IObit
2007-04-12 06:44:17 200704 --a------ C:\WINDOWS\System32\teulKit.dll
2007-04-12 06:44:17 0 d-------- C:\Program Files\Netscape
2007-04-12 06:44:16 0 d-------- C:\Program Files\Playnet
2007-04-12 06:41:43 0 d-------- C:\Program Files\CRS
2007-04-11 07:44:41 0 d-------- C:\Documents and Settings\mine\Application Data\SlySoft
2007-04-11 07:43:32 0 d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2007-04-08 09:44:50 0 d-------- C:\Documents and Settings\mine\Application Data\Azureus
2007-04-07 11:42:13 0 d-------- C:\Documents and Settings\mine\Application Data\SystemRequirementsLab<SYSTEM~1>
2007-04-07 11:42:09 0 d-------- C:\WINDOWS\Sun
2007-04-07 11:42:09 0 d-------- C:\Documents and Settings\mine\Application Data\Sun
2007-04-07 11:41:12 0 d-------- C:\Program Files\Java
2007-04-07 11:39:50 0 d-------- C:\Program Files\Common Files\Java
2007-04-07 11:39:24 671 --a------ C:\WINDOWS\mozver.dat
2007-04-06 13:36:17 646392 --a------ C:\WINDOWS\System32\drivers\sptd.sys
2007-04-04 08:46:38 0 d-------- C:\Documents and Settings\mine\Application Data\Talkback
2007-04-04 08:46:07 0 --a------ C:\WINDOWS\nsreg.dat
2007-04-04 07:13:06 8192 --a------ C:\WINDOWS\System32\kbdkor.dll
2007-04-04 07:13:06 8704 --a------ C:\WINDOWS\System32\kbdjpn.dll
2007-04-04 07:13:06 6144 --a------ C:\WINDOWS\System32\kbd106.dll
2007-04-04 07:13:06 5632 --a------ C:\WINDOWS\System32\kbd103.dll
2007-04-04 07:13:06 6144 --a------ C:\WINDOWS\System32\kbd101c.dll
2007-04-04 07:13:06 6144 --a------ C:\WINDOWS\System32\kbd101b.dll
2007-04-03 02:53:57 22584 --a------ C:\WINDOWS\System32\drivers\PnkBstrK.sys
2007-04-03 02:53:53 99904 --a------ C:\WINDOWS\System32\PnkBstrB.exe
2007-04-03 02:53:47 63040 --a------ C:\WINDOWS\System32\PnkBstrA.exe
2007-04-03 02:53:47 0 d-------- C:\WINDOWS\System32\LogFiles
2007-04-02 06:46:46 0 d-------- C:\Program Files\SystemRequirementsLab<SYSTEM~1>
2007-03-28 09:18:09 0 d-------- C:\Documents and Settings\mine\Application Data\Lavasoft
2007-03-28 09:17:59 0 d-------- C:\Program Files\Lavasoft
2007-03-26 10:26:35 0 d-------- C:\WINDOWS\LastGood
2007-03-25 04:31:51 0 d-------- C:\WINDOWS\System32\appmgmt
2007-03-21 20:27:47 0 d-------- C:\Documents and Settings\mine\Application Data\Xfire
2007-03-21 20:27:46 0 d---s---- C:\Program Files\Xfire
-- Find3M Report ---------------------------------------------------------------
2007-04-15 05:42:14 24 --a------ C:\WINDOWS\System32\DVCStateBkp-{00000002-00000000-0000000A-00001102-00000004-00511102}.dat<DVCSTA~2.DAT>
2007-04-15 05:42:14 24 --a------ C:\WINDOWS\System32\DVCState-{00000002-00000000-0000000A-00001102-00000004-00511102}.dat<DVCSTA~1.DAT>
2007-04-15 01:33:03 0 d---s---- C:\Documents and Settings\mine\Application Data\Microsoft<MICROS~1>
2007-04-14 02:42:43 90112 --a------ C:\WINDOWS\System32\AVASTSS.scr
2007-04-12 06:38:07 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
2007-04-12 06:03:45 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-04-10 06:18:32 712832 --a------ C:\WINDOWS\System32\aswBoot.exe
2007-04-08 09:39:54 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-04-04 08:46:04 0 d-------- C:\Documents and Settings\mine\Application Data\Mozilla
2007-03-28 09:26:56 0 d-------- C:\Program Files\Soldat
2007-03-06 17:57:31 0 d-------- C:\Program Files\Activision<ACTIVI~1>
2007-03-04 21:25:41 0 d-------- C:\Program Files\Common Files\InstallShield<INSTAL~1>
2007-02-19 00:10:09 0 d-------- C:\Documents and Settings\mine\Application Data\Ahead
2007-02-15 21:54:48 0 d--h----- C:\Program Files\WindowsUpdate<WINDOW~2>
2007-02-15 21:53:34 0 d-------- C:\Program Files\Guild Wars<GUILDW~1>
2007-02-14 21:08:13 0 -ra------ C:\logwmemory.bin<LOGWME~1.BIN>
2007-02-14 13:19:14 347 --a------ C:\WINDOWS\ereg077.dat
-- Registry Dump ---------------------------------------------------------------
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
“msnmsgr”=“"C:\Program Files\MSN Messenger\msnmsgr.exe" /background”
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
“NvCplDaemon”=“RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup”
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe”
“NvMediaCenter”=“RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit”
“SoundService”=“rundll32.exe "C:\WINDOWS\wvvtsr.dll",setvm”
“BootService”=“rundll32.exe "C:\WINDOWS\opmkjh.dll",realset”
“Intel system tool”=“C:\WINDOWS\System32\svehost.exe”
“!AVG Anti-Spyware”=“"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized”
“COMODO Firewall Pro”=“"C:\Program Files\Comodo\Firewall\CPF.exe" /background”
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
“Installed”=“1”
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
“NoChange”=“1”
“Installed”=“1”
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
“Installed”=“1”
[HKEY_USERS.default\software\microsoft\windows\currentversion\runonce]
“RunNarrator”=“Narrator.exe”
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“AVG Anti-Spyware 7.5”
[HKEY_USERS.default\software\microsoft\windows\currentversion\run]
“Windows update loader”=“C:\Windows\xpupdate.exe”
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
“DisableRegistryTools”=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\Shell]
[HKEY_USERS.default\software\microsoft\windows\currentversion\policies\system]
“Wallpaper”=“”
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
“Wallpaper”=“”
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=“”
“LinkResolveIgnoreLinkInfo”=dword:00000000
“NoResolveSearch”=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
“LinkResolveIgnoreLinkInfo”=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_USERS.default\software\microsoft\windows\currentversion\policies\explorer]
“NoActiveDesktop”=dword:00000000
“ForceActiveDesktopOn”=dword:00000001
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
“NoActiveDesktop”=dword:00000000
“ForceActiveDesktopOn”=dword:00000001
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\din700
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\partnershipreg
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
“SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll”
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
-- End of Deckard's System Scanner: finished at 2007-04-15 at 05:53:08 ---------
svehost.exe is a worm/trojan (not the same as svchost.exe, which you mustn't delete). We need to get rid of that.
I’m not 100% sure that wvvtsr.dll and opmkjh.dll are malware so I’m reluctant to delete them without testing them first. I’m quite sure they’re not typical system files.
Go ahead and post the DSS log and we will disable what we need to from there.
EDIT: Sorry - you and I are typing at the same time.
The only svehost.exe file I found was the backup in the SDFix folder.
Open HijackThis and click Do a System Scan Only. When it finishes, place a check mark next to these lines:
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\tmp8C.tmp.dll (file missing)
O2 - BHO: (no name) - {B6F1A4CB-DADD-4D0C-BDFC-E945647302C1} - c:\wmplayer.dll (file missing)
O2 - BHO: (no name) - {cb97713c-658a-43a7-8d4f-bffdc4eb9bea} - C:\WINDOWS\system32\din700.dll (file missing)
O4 - HKLM..\Run: [SoundService] rundll32.exe "C:\WINDOWS\wvvtsr.dll",setvm
O4 - HKLM..\Run: [BootService] rundll32.exe "C:\WINDOWS\opmkjh.dll",realset
O4 - HKLM..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
O20 - Winlogon Notify: din700 - din700.dll (file missing)
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\ie_updater.exe (file missing)
Click the button labelled Fix Checked. Reboot. If you're able to find svehost.exe now, rename it svehost.old (again, third character E not C).
I would like you to try to update your Windows Service Pack now to at least SP1 (preferably SP2). We still need to locate those three files but fixing those lines in hjt should prevent them from loading. Without at least SP1 your computer will not stay clean very long.
OK - cool. Are wvvtsr.dll and opmkjh.dll there too? I didn’t see any of them in the log.
Oh, and what about trzC.tmp? Is it still around?
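The lines the helper picks out above share three traits: an entry whose file is "(file missing)", a rundll32 autostart that loads a DLL from outside System32 (C:\WINDOWS\wvvtsr.dll), and an executable whose name is one letter away from a real system binary (svehost.exe versus svchost.exe). The following is an added triage script, not code from this thread or from HijackThis; its sample lines are constructed from the log above, and the edit-distance threshold and the list of imitated system binaries are my own assumptions.

```python
import ntpath
import re

# Constructed sample, modelled on the HijackThis 1.99.1 lines posted in this thread.
SAMPLE_LOG = r"""O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B6F1A4CB-DADD-4D0C-BDFC-E945647302C1} - c:\wmplayer.dll (file missing)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [SoundService] rundll32.exe "C:\WINDOWS\wvvtsr.dll",setvm
O4 - HKLM..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: din700 - din700.dll (file missing)
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\ie_updater.exe (file missing)
"""

# Core Windows binaries whose names malware likes to imitate (assumed list, not from the thread).
KNOWN_SYSTEM_EXES = {"svchost.exe", "rundll32.exe", "lsass.exe", "winlogon.exe",
                     "services.exe", "smss.exe", "csrss.exe", "explorer.exe", "spoolsv.exe"}

# rundll32 <dll>,<entrypoint>: capture the DLL path, with or without surrounding quotes.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)', re.IGNORECASE)
EXE_RE = re.compile(r'([\w-]+\.exe)', re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; svehost.exe vs svchost.exe is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def reasons_for(line: str) -> list[str]:
    """Return the triage reasons for one HijackThis line (empty list = nothing notable)."""
    reasons = []
    # 1. The registry entry points at a file that is gone: an orphan left behind after
    #    a removal. Harmless by itself, but it is the trace of something that was there.
    if line.rstrip().endswith("(file missing)"):
        reasons.append("orphaned entry (file missing)")
    # 2. rundll32 autostart loading a DLL that does not live in System32 (here C:\WINDOWS).
    m = RUNDLL_RE.search(line)
    if m:
        dll = m.group(1).strip()
        if not ntpath.dirname(dll).lower().endswith("\\system32"):
            reasons.append(f"rundll32 loads DLL outside System32: {dll}")
    # 3. Executable name within two edits of a core system binary, but not equal to it.
    for exe in EXE_RE.findall(line):
        name = exe.lower()
        if name in KNOWN_SYSTEM_EXES:
            continue
        nearest = min(KNOWN_SYSTEM_EXES, key=lambda k: edit_distance(name, k))
        if edit_distance(name, nearest) <= 2:  # threshold is an assumption
            reasons.append(f"lookalike of {nearest}: {exe}")
    return reasons


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Run the three checks over every line; keep lines that triggered at least one."""
    flagged = []
    for line in log_text.splitlines():
        why = reasons_for(line)
        if why:
            flagged.append((line, why))
    return flagged


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print(line)
        for reason in why:
            print("    ->", reason)
```

Run against the constructed sample it flags exactly the five lines the helper listed and leaves the NVIDIA, Adobe and WgaLogon entries alone; a real log will still need a human to read the hits.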
I think I'm getting SP2 soon. Oh, so in the backups for SDFix, do I still rename svehost.exe to svehost.old? The other two files aren't in the SDFix folder. I'll check about the trzc.tmp.
In the avast4 folder (where the trzC.tmp was found) I found 3 files, one named unp23423423.tmp and the others with random numbers after unp. But I scanned them and put them in the chest, and they seem to be fine now. No other files appeared after I put them in the chest.
These files are temporary files created while avast is scanning archives…
For some strange reason (bad scanning, power failure?) they remain there.
It's OK if you send them to Chest.
No, you don't need to rename it. Since I didn't see it in the SDFix log, I assumed it was still in the System32 directory and I was getting a little frustrated trying to make it go away. It's fine where it is - we'll delete the backups later.
Go ahead and fix the lines in hjt I posted above and reboot. Then let me know if you can find C:\WINDOWS\wvvtsr.dll, opmkjh.dll, or trzc.tmp. You might check the AVG log too - there’s a good chance they were removed with that scan.
Thanks Tech. I suspected it was something like this but with so much malware to be cleaned I wanted to make very sure. Now we can concentrate on wvvtsr.dll and opmkjh.dll.